Postfix configuration for SASL SMTP authentication

Hi,

In these notes I will share, what I learned in getting SASL SMTP authentication to work on a Debian Lenny server with Virtualmin GPL. This is probably quite obvious to experienced Postfix users - it wasn't so obvious to me when I expected to just configure it through the Webmin/Virtualmin UI alone, without having to fix the config files manually.

Purpose: Allow logins from any IP via SMTP authentication using TSL with clients such as Thunderbird for sending mail via SMTP.

Settings in Webmin -> Postfix Mail Server -> SMTP Authentication And Encryption:SMTP relaying restrictions [x] Allow connections from same network Allow connections from this system Reject clients with no reverse hostname [x] Allow authenticated clients Reject email to other domains Allow only relay domains Allow domains this system is a backup MX for

Enable SASL SMTP authentication? [x] Yes
Handle non-compliant SMTP clients? [x] Yes

SMTP security options
[x] Reject anonymous logins Reject plain-text logins

SMTP relaying restrictions [x] Allow connections from same network Allow connections from this system Reject clients with no reverse hostname [x] Allow authenticated clients Reject email to other domains Allow only relay domains Allow domains this system is a backup MX for

Delay clients with failed logins? [x] Yes
Enable TLS encryption? [x] Yes
TLS certificate file [x] /etc/ssl/certs/ssl-cert-snakeoil.pem TLS private key file [x] /etc/ssl/private/ssl-cert-snakeoil.key TLS certificate authority file [x] None Supposedly these settings should work, but they will produce the following error: Jun 6 17:38:04 mydomain postfix/smtpd[13534]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit Jun 6 17:38:05 mydomain postfix/master[5703]: warning: process /usr/lib/postfix/smtpd pid 13534 exit status 1

Therefore, any attempted logins with an SMTP client like Thunderbird will fail.

The postfix configuration file main.cf did not have any of these options specified: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

In /etc/postfix/main.cf we find: smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated

Changing this to: smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject

...will achieve the following: permit_mynetworks: basically allows localhost like Usermin to send mail permit_sasl_authenticated: permits users from any IP, as long as they are authenticated to send mail reject: will reject all others and keep postfix happy (this needs to be the last option on the line)

Rememeber to reload the configuration: /etc/init.d/postfix reload

The added 'reject' at the end will not be parsed by Webmin and will end up in the wrong location, if you change any of the settings in 'SMTP relaying restrictions' in 'SMTP Authentication And Encryption'. Alternatively the same settings can be accessed from Webmin -> Postfix Mail Server -> SMTP Server Options -> Restrictions on recipient addresses. I wonder, why the same settings appear in two places.

As there is probably more than one way to get this working and to combine these options, please let me know, if there are easier or better ways to set this up in Webmin/Virtualmin.

Christian

Links: http://www.postfix.org/SASL_README.html http://www.postfix.org/postconf.5.html<br><br>Post edited by: chriswayg, at: 2009/06/06 08:09